Domain: usu.edu
Stories and comments across the archive that link to usu.edu.
Comments · 112
-
Re:The spider-goat is real!
Randy Lewis is still active in the spider-goat research field. His group has had a small herd of about 30 of them at Utah State University for years. Current research seems to focus on separating the silk from the milk.
-
Re:Here's a billion dollar idea:
The sort of person who would freely join a union is unfit to teach.
"Special education" is frequently exorbitantly expensive, more expensive than one full-time tutor per student (easily over $100,000 per year). The return on investment is zilch, and certainly not a responsible use of taxpayer money. If a child's mental potential is limited to basket weaving, spending 12 years in a futile effort to teach him to read does no good.
The claim that schools need more money is false. In 2013, the average spent per pupil was $10,700. The correlation between money per pupil and educational outcome is very weak and not always positive. http://digitalcommons.usu.edu/cgi/viewcontent.cgi?article=1020&context=gradreports [pdf]
Try teaching kids who are hungry, exhausted, and homeless
Don't change the subject. That condition describes very few children, and is irrelevant to the central issue of education being poor for most students.
Stop teaching garbage like Common Core and the latest Politically Correct dung.
-
Re:Leaked Political hit job masquerading as "scien
Adding link.
-
Chocolate, Ice Cream, and Thanks all work.
When I worked IT Security for a University, we took extra effort to thank anybody who reported a security issue. Here are some examples:
- * We had an alert clerk notice that "something was off" when 3 people tried to sweet talk their way into a storage area. She flirted with them, while her co-worker called campus security. The cops had the penetration team spread and handcuffed before they could present their "Get Out Of Jail" documentation. Even then, they kept them handcuffed, until the cops called and verified the documentation. It was the first time that the penetration team had EVER had to use their documentation. I personally called and thanked everybody. I also arranged for the clerk to get a 2 pound box of the local Blue Bird Chocolates: http://bluebirdcandy.com/
- * When we started our "Internet Skeptic" awareness campaign: https://it.usu.edu/computer-se... we would send a coupon for a free Aggie Ice Cream Cone: http://aggieicecream.usu.edu/ to the first person to report a new phish.
- * Later, we found that prompt, public thanks worked as well as ice cream. We would promptly analyse every report, and then send out 2 sets of emails. The first would be the thank-you to the reporter. It included: Personalized thanks; A description of the scam; A report of how many others at USU were warned, thanks to their alertness. The second set of email would go out to everybody who had received a copy of the phishing scam. It included: A notification that the prior message was a fraud; Instructions for how to recover, if they had fallen for the fraud; A report of how many others also received the phish; A public acknowledgement of the alert reporter.
- * This spring, we had a "Phishing Tournament" with various awards for reporting fraudulent emails. The grand prize was a tackle box full of goodies.
The small amount we spend on thanks was more than repaid by the savings created by a community of alert, careful internet skeptics.
-
Re:Radiative Transfer
This would be a skeptical perspective; there are various other wrong arguments. As it happens it's one of the better wrong arguments available, but still insufficient. Links are likely to be the first resource available rather than an authoritative source; the nice thing about empiricism is that it's consistent.
Doubling the concentration of CO2 in the atmosphere increases global surface temperatures by 1.16 K.
Yes, that's a reasonable figure.
we are not far off the conditions of CO2 starvation for plants where all plant life dies, since they evolved in an atmosphere of 2000 ppmV CO2
Carbon dioxide levels have not been at that level since, what, the mid-Cretaceous? Tens of millions of years at any rate. For most crops the saturation point will be reached at about 1,000-1,300 ppm under ideal circumstances; higher levels inhibit growth. There are any number of studies which bear these figures out, but as it happens I have also personally experimented with gardening with supplemental CO2, and with my hydroponic setup anything higher than 1500 ppm produced noticeably less healthy plants.
...[plants] rapidly absorb human-emitted CO2..."
If plants were starved for CO2, we would not be seeing the global concentration rising. This also misses a much better argument. In the first decades of the 20th Century, AGW was discredited for a number of reasons, the relevant one being that it was thought that the oceans would be able to absorb and buffer any increase of CO2. There is 50 times the amount of dissolved carbon in the oceans than there is in the atmosphere, and it seemed obvious that anything happening to the atmosphere would necessarily be minor. That turned out not to be the case.
the lifetime is certainly under 10 years and possibly as short as 10 months
This is an extraordinary claim. I would ask you to provide a citation from a reputable journal, but I cannot imagine that a claim so blatantly unphysical would ever be accepted into a reputable journal. However, it's clear that the excess carbon is not being sequestered; however long it stays in the atmosphere is irrelevant to whether it is increasing.
The debate is entirely about what the effect of water vapor (clouds have) on these sensitivities.
Clouds are not water vapor, actually, they're condensed water. Water vapor is the stuff that's not visible. The Earth is actually opaque to IR. Water vapor and CO2 in the laboratory have a very strong feedback effect. Clouds do not cover 100% of the Earth's surface, but water vapor does, so we should intuitively expect that clouds should not have a greater effect than water vapor. Also, since it is undisputed that clouds also contribute to warming, the required negative feedback would need to be that much greater. Given that the positive feedbacks are as you say of alarming magnitude, this negative feedback should be fairly obvious. And yet no skeptic has been able to propose a mechanism. Sufficient evidence has not been presented to overturn the IPCC results.
Meanwhile the skeptics believe the IPCC computer models are wrong
Of course they are, "all models are wrong, some are useful". Modeling that atmosphere in two dimensions or as a column of gases is a very easy way to demonstrate the warming effect. But having an accurate or inaccurate model is irrelevant to whether the observations that it's built on are correct. You need the observat
-
The benefits of handling attack.
I do IT Security for a research university. For the last 10 years, we have attempted to handle all incoming attack. Some gets missed, but we make an attempt. It is good work for the interns/trainees. We document the incident, block the attacking IP for an appropriate amount of time, and notify the remote abuse contact. We have found that handling attack provides significant benefits:
- * Our security team remains functional. Ignoring incidents creates bad habits in the security team.
- * It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
- * It greatly reduces the amount of attack. The number of attacks drops off sharply a couple of weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th of its prior levels.
- * It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
- * In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.
We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.
We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.
We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.
More info is available here:
- * More background on our abuse reporting: https://it.wiki.usu.edu/SingSi...
- * Our abuse report email template: https://it.wiki.usu.edu/2013Si...
- * Our list of institutional scans: https://it.wiki.usu.edu/201302...
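The workflow the comment above describes (record every incident, block the source for a bounded time, notify the remote abuse contact, and never auto-block a critical external address that someone may be spoofing) is easy to sketch in code. The block below is an added illustration in Python and is not USU's tooling; the log format, the allowlist, the spoof-prone categories, the escalation policy and the report wording are all assumptions, and the sample log is constructed from RFC 5737 documentation addresses.

```python
"""Inbound-attack triage: record, block for a bounded time, draft an abuse report.

Added illustration of the workflow in the comment above; not USU's tooling.
Policy numbers, the allowlist and the log format are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log: one hit per line, "timestamp src_ip dst_port category".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2015-03-01T02:14:07Z 203.0.113.45 22 ssh-bruteforce
2015-03-01T02:14:09Z 203.0.113.45 22 ssh-bruteforce
2015-03-01T02:14:11Z 203.0.113.45 22 ssh-bruteforce
2015-03-01T02:20:00Z 198.51.100.7 80 web-scan
2015-03-01T02:21:30Z 198.51.100.7 8080 web-scan
2015-03-01T02:30:00Z 198.51.100.99 3389 rdp-probe
2015-03-01T03:00:00Z 192.0.2.10 53 dns-probe
2015-03-01T03:00:01Z 192.0.2.10 53 dns-probe
2015-03-01T03:05:00Z 203.0.113.200 80 dos-backscatter
2015-03-01T03:05:00Z 203.0.113.200 80 dos-backscatter
"""

# Hypothetical allowlist of critical external resources (an upstream resolver,
# a software-update mirror, ...) that must never be blocked automatically.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]

# Hit categories that are routinely spoofed: never block on these alone.
SPOOF_PRONE = {"dos-backscatter", "dns-reflection"}

MIN_HITS = 2                # below this, record only
MAX_BLOCK_HOURS = 24 * 30   # cap on escalation

Event = Tuple[str, str, int, str]


@dataclass
class Decision:
    src_ip: str
    hits: int
    categories: Tuple[str, ...]
    action: str             # "block" | "allowlisted" | "spoof-suspect" | "record-only"
    block_hours: int = 0
    report: str = ""


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, category = line.split()
        events.append((ts, ip, int(port), category))
    return events


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def block_duration_hours(prior_offenses: int) -> int:
    # One day for a first offense, doubling on each repeat, capped (assumed policy).
    return min(24 * (2 ** prior_offenses), MAX_BLOCK_HOURS)


def abuse_report(ip: str, events: List[Event]) -> str:
    # Plain-text report for the remote abuse contact: what, when, where, how often.
    times = sorted(e[0] for e in events)
    ports = ", ".join(str(p) for p in sorted({e[2] for e in events}))
    cats = ", ".join(sorted({e[3] for e in events}))
    return (
        f"Abuse report for {ip}\n"
        f"Activity: {cats}\n"
        f"Destination ports: {ports}\n"
        f"Hits: {len(events)} between {times[0]} and {times[-1]} (UTC)\n"
        "The source host is probably compromised; please investigate.\n"
    )


def triage(log_text: str, prior_offenses: Dict[str, int] | None = None) -> List[Decision]:
    prior_offenses = prior_offenses or {}
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev[1]].append(ev)

    decisions = []
    for ip, events in sorted(by_ip.items()):
        cats = tuple(sorted({e[3] for e in events}))
        if is_allowlisted(ip):
            # A critical address showing up as an attacker is itself a signal:
            # someone may be spoofing it to provoke an auto-block. Flag, never block.
            decisions.append(Decision(ip, len(events), cats, "allowlisted"))
        elif all(c in SPOOF_PRONE for c in cats):
            decisions.append(Decision(ip, len(events), cats, "spoof-suspect"))
        elif len(events) < MIN_HITS:
            decisions.append(Decision(ip, len(events), cats, "record-only"))
        else:
            hours = block_duration_hours(prior_offenses.get(ip, 0))
            decisions.append(Decision(ip, len(events), cats, "block", hours, abuse_report(ip, events)))
    return decisions


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG, prior_offenses={"203.0.113.45": 1}):
        print(f"{d.src_ip:<15} {d.action:<14} hits={d.hits} block={d.block_hours}h")
```

The allowlist check runs before anything else on purpose: a critical address that appears as an attacker is treated as probable spoofing aimed at the auto-block, which is exactly the failure mode the comment calls auto-immuning yourself to death. Backscatter-only sources are likewise flagged rather than blocked, since the source address in those packets is the spoofed victim, not the attacker.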
-
Don't know about hackers, but China is helpful.
I don't know about hackers, but lately China has done more to help me secure my university than the NSA, FBI, and Homeland Security combined.
I do network and computer security for a university. In the last couple years we have received a couple alerts from the FBI. The info was fairly old and limited in scope. And, they didn't want us to share the info with those who really needed to have it.
In the same period, the Chinese government has instituted a program of rigorous scanning and vulnerability assessment against my university. If I pay close attention, I discover all kinds of useful information. They have shown me 0-day exploits. They have taught me devious manipulations. They have even taught me an ingenious method of detecting firewall failure.
The Chinese give me daily updates on the latest hacking techniques. They never complain if I share the info. And they don't waste my time with meaningless paperwork. If I wasn't getting it for free, I would be willing to pay for this service. I don't understand why my government can't be as helpful.
-
Inexplicable gaps in Crypto products.
In my completely uninformed opinion, there seem to be inexplicable and congenital faults in IT's use of cryptography.
A few crypto products need efficiency and performance. But, many don't. Many existing products are optimized for efficiency and performance, even when these goals are contrary to the stated goals of the product. Frequently, crypto solutions unnecessarily limit the size of keys. They extend the lifetime of keys. They limit the number of available keys. In many cases, all three of these latter goals are false savings.
We rarely use symmetric crypto, even though it is frequently simpler and more robust. Public Key is almost always preferred, even when it is easy to distribute keys.
Reliable, trustworthy sources of truly random numbers seem to be very useful, inexpensive, and straightforward to create. See: http://en.wikipedia.org/wiki/C...
If we are interested in secure communications, it should be normal and expected that we would pick up several hardware random number generators. We should have multiple simple, robust, trustworthy tools to generate symmetric keys. We should have multiple tools to utilize simple, robust, trustworthy symmetric crypto.
Instead, we seem to focus on always using a single complex public key solution even when it is not appropriate.
In my ignorance, I have been trying to map out a simple, robust tool for system administration, that makes use of symmetric crypto. See: https://it.wiki.usu.edu/201501...
I would really like to learn that I have been wasting my time.
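The comment above argues that a sysadmin tool can do without public-key machinery if it simply uses full-size symmetric keys drawn from the OS random source, rotates them often, and never limits how many it issues. The block below is an added example in Python of that pattern and is not the commenter's tool (whose wiki link is truncated above): it authenticates admin commands with HMAC-SHA256 under 256-bit keys that carry a key id and an expiry. The key ring, token format and skew window are my assumptions. It is stdlib only, so it provides integrity and origin, not confidentiality.

```python
"""Symmetric command authentication for admin tooling with fresh, full-size,
short-lived keys. Added illustration, not the commenter's tool; stdlib only,
so it gives integrity and origin (HMAC), not confidentiality."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

KEY_BYTES = 32                 # full 256-bit keys: no artificial key-size cap
DEFAULT_LIFETIME = 24 * 3600   # seconds; rotate daily rather than stretch key life
MAX_SKEW = 300                 # seconds of clock skew tolerated on a token timestamp


@dataclass(frozen=True)
class Key:
    kid: str
    secret: bytes
    created: float
    lifetime: float

    def expired(self, now: float) -> bool:
        return now >= self.created + self.lifetime


class Keyring:
    """Holds any number of keys by id; nothing limits how many are issued."""

    def __init__(self) -> None:
        self._keys: Dict[str, Key] = {}

    def new_key(self, now: float, lifetime: float = DEFAULT_LIFETIME) -> Key:
        # Secret and id both come from the OS CSPRNG via the secrets module.
        kid = secrets.token_hex(8)
        while kid in self._keys:          # vanishingly unlikely, but cheap to handle
            kid = secrets.token_hex(8)
        key = Key(kid, secrets.token_bytes(KEY_BYTES), now, lifetime)
        self._keys[kid] = key
        return key

    def get(self, kid: str) -> Optional[Key]:
        return self._keys.get(kid)

    def purge(self, now: float) -> int:
        # Drop retired keys so an old token can never verify again.
        stale = [k for k, v in self._keys.items() if v.expired(now)]
        for k in stale:
            del self._keys[k]
        return len(stale)


def _mac(key: Key, ts: int, command: bytes) -> str:
    # Key id and timestamp are part of the MAC input, so a tag cannot be moved
    # to another key or another time window.
    msg = key.kid.encode() + b"\0" + str(ts).encode() + b"\0" + command
    return hmac.new(key.secret, msg, hashlib.sha256).hexdigest()


def sign(key: Key, command: bytes, now: float) -> str:
    ts = int(now)
    return f"{key.kid}:{ts}:{_mac(key, ts, command)}"


def verify(ring: Keyring, command: bytes, token: str, now: float) -> bool:
    try:
        kid, ts_text, tag = token.split(":")
        ts = int(ts_text)
    except ValueError:
        return False
    key = ring.get(kid)
    if key is None or key.expired(now):      # unknown or retired key
        return False
    if abs(now - ts) > MAX_SKEW:             # stale token (replay outside the window)
        return False
    return hmac.compare_digest(_mac(key, ts, command), tag)   # constant-time compare


if __name__ == "__main__":
    ring = Keyring()
    k = ring.new_key(now=1_000_000, lifetime=3600)
    tok = sign(k, b"systemctl restart nginx", 1_000_010)
    print(verify(ring, b"systemctl restart nginx", tok, 1_000_020))   # True
    print(verify(ring, b"systemctl restart nginx", tok, 1_004_000))   # False: key expired
```

Two design points worth noting: the verifier rejects before doing any MAC work when the key id is unknown, the key is past its lifetime, or the timestamp is outside the skew window, and the final comparison uses hmac.compare_digest so a forged tag cannot be refined byte by byte from timing. Distributing the secret to each managed host is the part this sketch leaves out; the comment's premise is that for a fleet you already administer, that distribution is easy.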
-
Re:Anyone can intercept SSH some of the time
Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:
https://it.wiki.usu.edu/ssh_de...
We try to use multiple overlapping security layers to protect SSH:
- * If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
- * Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
- * If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.
- * The SSH server should not allow known usernames including root. The attacker must find a username.
- * Motivated admins should use 2-factor authentication to access their critical SSH servers.
- * Admins are trained to create good passwords for their usernames.
- * SSH users should verify the identity of their systems when they first connect.
- * System admins must regularly review the activity of their SSH servers.
- * Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
- * We have SSH Honeypots that help us track, understand and respond to SSH attack. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when an institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers.
Much of this work can be automated. The rest is excellent training material for new security recruits and interns.
Looking back, the main change I should have made to improve our SSH protections would be to default block incoming TCP/22 at the border years ago. Then, only allow it for groups that can show they use it to provide services to a large community. Anybody using SSH for administration can change the SSH port.
-
Re:Not this shit again
I admit it. I can't get the story of GamerGate straight. And do you know why I can't get GamerGate's story straight? Because GamerGate themselves can't get their story straight. GamerGate's story keeps changing every day. (Of course every time it has always been their story, like the war with Eastasia.)
I assure you, this is absolutely the first time I've heard anyone from GamerGate even claim that they have addressed corruption around Shadow of Mordor. When I addressed this in a conversation with a GamerGater a few weeks ago, he said exactly that it was okay, because it was a good game, and that it was the terrible corruption around Depression Quest that was the real reason for GamerGate. I've heard other GamerGaters explain that it wasn't really corruption because it was marketing and surely a company should be free to do that sort of thing? I have never seen this addressed in the name of GamerGate, I have never seen anyone claiming affiliation with GamerGate address this. And you are the first person I've met who claims that GamerGaters have addressed this. But maybe they have. Still, they're not giving remotely as much attention to it as they're giving to Depression Quest.
As for slurs, you claim that all the slurs come from the anti-GG side, and yet all the slurs I've seen first-hand, have come from people defending GamerGate. A post about random racists on the internet (props to the person who addressed that, by the way) recognizing an image apparently related to GamerGate (I admit I wouldn't have recognized it as such) doesn't exactly prove that they are representative for people opposing GamerGate. Everybody I know who has criticized GamerGate (and of all the gamers I know, nobody supports it) is quite the opposite of that.
I'm not claiming that all critics of GamerGate are perfect. Every random group of internet people has its fair share of bastards, but the bastards don't dominate as much as they seem to dominate in GamerGate. There's a very good reason why GamerGate has such a terrible reputation. That didn't come from nothing; it is exactly because of the behaviour associated with GamerGate. Read what Ken White of Popehat has to say about it. The only people who claim to have a positive impression of GamerGate are the GamerGaters themselves. And their story is honestly not very credible considering the chat logs where they discuss how to sell their story to the outside world, and what stuff they shouldn't be doing anymore. The end result is that by now, their story sounds quite reasonable to anyone not familiar with the history. But most people have a better memory than GamerGaters realize.
University of Utah confirmed that threat was completely un-credible and there was no credible threat to the students or anyone else.
Are you aware that they have a website? Read it. They confirm the threat, and they increased the security, but they also say that, according to Utah law, they can't ban weapons.
-
Re:Not this shit again
Right there on the same website Psmears:
Throughout the day, Tuesday, Oct. 14, USU police and administrators worked with state and federal law enforcement agencies to assess the threat to our USU community and Ms. Sarkeesian. Together, we determined that there was no credible threat to students, staff or the speaker, and that this letter was intended to frighten the university into cancelling the event.
-
Re:Not this shit again
None of it, except of course that the University of Utah confirmed it, and a lot of people there have received this message. Read it for a fine example of crazy reactionary misogyny.
University of Utah confirmed that threat was completely un-credible and there was no credible threat to the students or anyone else. Once again you are so woefully uninformed about the most basic of facts that I wonder if you even so much as googled any of this before posting.
I couldn't find a source to back that up; instead, googling showed that the University of Utah prepared to enhance their security as a direct result of the threat. Or did I miss something? It's admittedly quite hard to search for without the results getting swamped with gamergate coverage of one sort or another...
-
Re:The right to offend ...
Its not about what its OK to be offended about: its that THREATS of EXTREME VIOLENCE are not okay.
No-one is saying that they are. But such threats are being conflated with trivial criticism under the nebulous umbrella term "harassment".
Don't even attempt to deny that such conflation is taking place. It forms the basis for the waves of censorship seen over the last three months. Actual death threats -- not even actionable ones -- against the "damsels in distress" so beloved of journalists have numbered, to date, four. Anita Sarkeesian has threats from one twitter account, and an anonymous email threat which Utah University saw no need to enhance its security measures for. Brianna Wu received another set of twitter death threats under farcical circumstances. Zoe Quinn has also allegedly received death threats, though whether this was from the dubious Hawaii phone number doxxing is unclear. If this sounds uncharitable, note that by this point, after all the slander and lies of the last few months, gamers are too jaded to simply "listen and believe" without firm evidence.
Meanwhile gamers have received extensive harassment from the often racist proponents of so called "social justice", which from gamers point of view amounts to little more than extremist bullying. It took almost two months before the media begrudgingly even hinted that such attacks on gamers might be taking place.
Meanwhile each angry tweet at an appropriate damsel in distress is readily spun into an internet wide crisis now requiring government and industry intervention and a new age of censorship infrastructure. But we can be assured that the harassment and bullying from corrupt journalists and their cronies will continue unabated, and it will be only the protests and resistance from geeks which will be stifled.
When the new proposals for censorship in the name of "combating harassment" appear over the next few weeks, don't say you didn't receive fair warning.
-
Re:As well they should.
And the award for misinterpreting research goes to...
Did you actually read the paper? It's about the benefit of adding different kinds of light in strong white light and finds that green helps most in such a situation because the oversaturation of the outer chloroplasts from red and blue light. There are, of course, countless papers out there that show the main actually tested usage of light is poorer for green, including research that cites that paper (the one I linked found that in some circumstances giving more green light can actually decrease growth - so hey if you like burning more energy to decrease your plants growth...)
-
Some more guidance on setting up SSH
Here is the guide we provide to the SSH users at our University: https://it.wiki.usu.edu/ssh_description
Some of the major points:
- We try to use multiple overlapping security layers to protect SSH:
- * The firewall limits the vulnerable scope of SSH to a few trusted hosts.
- * The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
- * The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
- * The SSH server should not allow known usernames including root. The attacker must find a username.
- * The admin is trained to create good passwords for his usernames.
- * SSH users are taught to verify the identity of their systems when they first connect.
- * System admins must regularly review the activity of their SSH servers.
- * USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
- * USU has SSH Honeypots that help us respond to SSH attack.
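Added example, not code from the USU guide: the "regularly review the activity" step above, done against OpenSSH auth log lines with the same policy the list describes (no root logins, only trusted hosts reach sshd, failed attempts are rate limited). The log lines, host names, addresses, trusted-host set and thresholds are all constructed assumptions.

```python
"""Review OpenSSH authentication log lines for the conditions the guide asks
admins to check: credential guessing, logins as a forbidden username such as
root, and successful logins from outside the trusted-host set.

Added example, not code from the USU guide. Every address, host name,
threshold and log line below is a constructed assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed site policy, mirroring the layers in the post.
TRUSTED_SOURCES = {"198.51.100.4", "198.51.100.5"}   # hosts the firewall admits
FORBIDDEN_USERS = {"root", "admin"}                  # never valid login names
GUESS_THRESHOLD = 5      # failed attempts from one source ...
GUESS_WINDOW_SEC = 60    # ... within this many seconds = guessing

# Matches the standard sshd "Accepted"/"Failed" lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2012):
    """Return a dict for an auth event, or None for lines we do not care about.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def review(lines, year=2012):
    """Return a list of (finding, source_ip, detail) tuples."""
    findings = []
    failures = defaultdict(list)          # source ip -> timestamps of failures
    for event in filter(None, (parse_line(l, year) for l in lines)):
        if event["result"] == "Failed":
            failures[event["ip"]].append(event["ts"])
            continue
        # A successful login: check it against policy.
        if event["user"] in FORBIDDEN_USERS:
            findings.append(("forbidden_user_login", event["ip"], event["user"]))
        if event["ip"] not in TRUSTED_SOURCES:
            findings.append(("login_from_untrusted_host", event["ip"], event["user"]))
    # Sliding window over each source's failures: the same rule a firewall
    # rate limit applies, run after the fact over the log.
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > GUESS_WINDOW_SEC:
                start += 1
            if end - start + 1 >= GUESS_THRESHOLD:
                findings.append(("credential_guessing", ip,
                                 f"{end - start + 1} failures within {GUESS_WINDOW_SEC}s"))
                break
    return findings

# Constructed sample log: one guessing burst, one clean key login, one root
# login from an unexpected host, one isolated typo from a trusted host.
SAMPLE_LOG = """\
Jan  5 10:01:02 login1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  5 10:01:05 login1 sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan  5 10:01:09 login1 sshd[2003]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan  5 10:01:12 login1 sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jan  5 10:01:15 login1 sshd[2005]: Failed password for invalid user guest from 203.0.113.7 port 51255 ssh2
Jan  5 10:02:30 login1 sshd[2010]: Accepted publickey for miles from 198.51.100.4 port 50100 ssh2: RSA SHA256:constructed
Jan  5 11:15:44 login1 sshd[2020]: Accepted password for root from 192.0.2.66 port 40022 ssh2
Jan  5 12:00:00 login1 sshd[2030]: Failed password for miles from 198.51.100.5 port 50200 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run it on a real log with `review(open("/var/log/auth.log").readlines(), year=...)`; the single failure from a trusted host is deliberately not reported, since a typo is not an attack and noise is what makes admins stop reading.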
-
China constantly attacks universities.
I do computer and network security for USU (Utah State University).
If USU is any indication, China constantly attacks universities. China accounts for at least 1/2 of all attacks that arrive at the USU border. See: https://it.wiki.usu.edu/20120301_ScanSummary
Many of these attacks appear to require favorable quality of service packet delivery. We frequently see flawless packet delivery in high speed Chinese scans and Chinese vulnerability assessments. Currently, we are receiving a comprehensive Chinese vulnerability assessment every 5 days. It would be a great service if we had paid for it. And if they would share the results with us :) See: https://it.wiki.usu.edu/20120101_China_Test
Miles
-
Reporting attack can be a useful security layer.
The security group at USU documents, blocks and reports attack. It is part of our security response. We feel it is a cost effective part of our security posture. We have been doing it for 5 years.
We provide instructions to our users to help them set up and manage their SSH servers: https://it.wiki.usu.edu/ssh_description
We detect, document, block and report SSH portscans and SSH password guessing. We also have several SSH honeypots set up to collect lists of attack credentials. We check the honeypots to see if a USU credential has been exposed. A while ago, the FBI came by and asked about 9 IP addresses used in a hostile government sponsored attack. We were able to document that they had been detected and blocked. We were also able to provide the credentials that the attackers used.
When we first started reporting attack, the response was very poor. But now, about 1/3 of the abuse reports (to non-Chinese sources) result in confirmed, remote resolution. Now, almost all ISPs, CERTs, and large organizations are eager to receive a polite, accurate, and detailed abuse report. It is the easiest (and most common) way to learn that you have a compromised system.
As you have noticed, the hardest part is determining the proper point of contact. Most of the time, we can find one by carefully searching the whois and DNS information.
Our rationale for documenting and reporting attack is given at: https://it.wiki.usu.edu/SingSingRational It includes:
USU IT Security attempts to document all attacking IPs on Singsing. This accomplishes 3 primary goals:
- * It creates memory of how USU is attacked. We need to know how we are attacked, so our defenses are anchored in reality.
- * It blocks attacking IPs at the USU border. We can specify a duration that is appropriate to the occasion.
- * It notifies the owner/ISP of the computer that they are attacking USU. Usually they are also innocent victims.
Lately (March 2012), at least 1/3 of the abuse reports (to non-Chinese sources) appear to result in remote resolution.
In addition, documenting/blocking/reporting has important secondary benefits:
- * Once a week, summary reports go out to our peers across the state, and to the FBI.
- * It keeps USU IT Security from developing the habit of ignoring attack.
- * Blocking attackers gives us a great deal of satisfaction. (Normally, we can't get no.)
- * It sends a message to attackers, that USU is not cheap, soft pickings.
- * We have demonstrated a couple of times that the number of attacks drops off sharply a couple of weeks after we begin religiously reporting attacking IPs.
Finally, we are convinced that reporting of compromise/attack is one of the few pathways that can lead to a more secure internet.
- * Computer owners/admins must know about their compromise to make sound decisions.
- * The current hacking environment is controlled by the economics of hacking. Reporting attack/compromise increases the risk/cost of hacking and decreases the reward.
- * If we help others to know they have problems, maybe someday, somebody will have similar mercy on us.
Miles
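Added example, not USU's own tooling: the contact-finding step the post calls the hardest part, done over whois text, followed by drafting the polite, accurate and detailed report the post says recipients now want. The whois responses, addresses, mailboxes and log events below are constructed.

```python
"""Pick the abuse contact for an attacking IP out of whois text, then draft
the report. Finding the right mailbox is the hard part the post mentions;
the rest is being polite, accurate and unambiguous about times.

Added example, not USU's tooling. The whois text below is constructed to
mimic ARIN- and RIPE-style responses; the addresses are documentation ranges
and the mailboxes are invented.
"""
import re
from datetime import datetime, timedelta, timezone

# Where the registries put the abuse mailbox, in the order we trust them.
ABUSE_PATTERNS = [
    re.compile(r"^% Abuse contact for .* is '(?P<mail>[^']+)'", re.M),  # RIPE/APNIC remark
    re.compile(r"^abuse-mailbox:\s*(?P<mail>\S+)", re.M),               # RIPE object field
    re.compile(r"^OrgAbuseEmail:\s*(?P<mail>\S+)", re.M),               # ARIN
    re.compile(r"^(?:OrgTechEmail|e-mail):\s*(?P<mail>\S+)", re.M),     # fallbacks
]

def abuse_contacts(whois_text):
    """Return candidate mailboxes, best first, without duplicates."""
    seen, out = set(), []
    for pattern in ABUSE_PATTERNS:
        for m in pattern.finditer(whois_text):
            mail = m["mail"].lower()
            if mail not in seen:
                seen.add(mail)
                out.append(mail)
    return out

def draft_report(attacker_ip, victim_org, events, reporter):
    """events: list of (timezone-aware datetime, description).
    Every timestamp is rendered in UTC: a report whose timezone the
    recipient has to guess is a report that gets ignored."""
    lines = [
        f"Subject: Abuse report: {attacker_ip} attacking {victim_org}",
        "",
        f"{attacker_ip} has been observed attacking {victim_org}. It is most",
        "likely a compromised machine. Log excerpt (all times UTC):",
        "",
    ]
    for ts, desc in sorted(events):
        lines.append(f"  {ts.astimezone(timezone.utc):%Y-%m-%d %H:%M:%S} UTC  {desc}")
    lines += ["", "Please investigate and let us know when it is resolved.", "", reporter]
    return "\n".join(lines)

# Constructed whois responses.
ARIN_SAMPLE = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example ISP
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@example-isp.net
OrgTechEmail:   noc@example-isp.net
"""
RIPE_SAMPLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.org'
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.org
e-mail:         hostmaster@example.org
"""
# Constructed evidence, logged in Mountain Standard Time (UTC-7).
MST = timezone(timedelta(hours=-7))
SAMPLE_EVENTS = [
    (datetime(2012, 3, 1, 17, 2, 30, tzinfo=MST),
     "SSH password guessing: 412 attempts against 198.51.100.20 port 22"),
    (datetime(2012, 3, 1, 16, 58, 1, tzinfo=MST),
     "TCP/22 scan of 198.51.100.0/24"),
]

if __name__ == "__main__":
    contacts = abuse_contacts(ARIN_SAMPLE)
    print("To:", contacts[0])
    print(draft_report("203.0.113.7", "Example University", SAMPLE_EVENTS,
                       "Example University IT Security"))
```

The fallback patterns exist because many allocations still have no abuse-specific field; when nothing matches, the next step is the DNS route the post mentions (the PTR record's domain, then its SOA contact), which this example leaves to the operator.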
-
Re:Too cool
Ugh
....
Maryland - Goddard Space Flight Center
New Mexico - AF Research Lab - Space Vehicles, Sandia Labs, Los Alamos Labs
Colorado - Ball, Raytheon, etc
California - JPL, Livermore Labs and way too many others to list
Virginia - Navy Research Lab, Wallops Island
Texas - UT Dallas, Texas A&M, Johnson Space Center, many more
Arizona - Orbital Sciences Corp., GD, etc
Tennessee - Oakridge
Alabama - U.S. Space and Rocket Center
Utah -Space Dynamics Laboratory, L3
Florida - Kennedy, ATK and many more
Alaska - Kodiak Island
The space industry is spread out over the entire country. This list could go on and on. Saying it is only Florida and Texas that benefit is mildly absurd. I agree with the idea, but it isn't nearly as narrow as that.
-
Re:Yandex may have flipped their evil bit.
It's pure paranoia to think that a web (HTTP) crawler is doing something malicious by looking for open HTTP servers. That is like saying that a SMTP crawler looking for open mail relays to add to a blacklist is doing something malicious by scanning networks looking for open SMTP servers.
Well, yah. But:
- We have closely monitored our part of the internet for years. No other search engine behaves like this.
- A University really, REALLY doesn't want anybody indexing all the things that respond to TCP/80. Again, Yandex is the only one trying.
- They pay me good money for that paranoia.
And, yes, we also react to any other form of external vulnerability analysis, including TCP/25 scanning. It's funny. There is an endless number of hackers willing to find our vulnerabilities, but they almost never give us a chance to fix the problems. It's amazing the number of people trying to make a buck out of our misfortune. Here was a fun one: https://it.wiki.usu.edu/20120101_China_Test
Miles
-
Yandex may have flipped their evil bit.
I have seen Yandex searching wide ranges of IPs for web servers. See: https://it.wiki.usu.edu/20111007_BeEvil You may want to give some thought to blocking the Russian Google-wanna-be Yandex. They may have flipped their 'Evil' bit. In 2012, you should not find public web servers by scanning for TCP/80 and TCP/443. If you want to find public web servers, you spider the web. Or ask Google. If you scan the internet for TCP/80 and TCP/443, you will find private management interfaces. You find printers, routers, switches, control systems, web cams, network attached storage devices, and work-flow services. You will probably find more SCADA devices than actual public web servers. The results of this search are of great interest to the hacking community. It has very limited utility for anybody else. This is not trustworthy internet behavior.
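Added example, not USU's monitoring code: one way to tell a TCP/80 and TCP/443 address sweep apart from a link-following crawler using connection records alone, by counting distinct destinations per source within a window and checking whether those destinations are consecutive addresses. Records, addresses, window and thresholds are constructed assumptions.

```python
"""Tell an address-space sweep for TCP/80 and TCP/443 apart from a crawler
that follows links, using only connection records. A crawler reaches a few
known web servers many times; a sweep touches many addresses, once each,
usually in address order.

Added example, not USU's monitoring code. Connection records, addresses,
thresholds and the window are constructed assumptions.
"""
import ipaddress
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "ts src dst dport")   # ts in seconds

WEB_PORTS = {80, 443}
SWEEP_MIN_TARGETS = 20     # distinct destinations within the window
WINDOW_SEC = 600

def adjacency(addresses):
    """Fraction of sorted destinations whose neighbour is the next address:
    near 1.0 for a sequential sweep, near 0 for link-following."""
    addrs = sorted(ipaddress.ip_address(a) for a in addresses)
    if len(addrs) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(addrs, addrs[1:]) if int(b) - int(a) == 1)
    return steps / (len(addrs) - 1)

def find_sweeps(conns):
    """Return (src, distinct_targets, adjacency) for sources that look like
    they are sweeping web ports rather than crawling."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport in WEB_PORTS:
            by_src[c.src].append(c)
    findings = []
    for src, cs in by_src.items():
        cs.sort(key=lambda c: c.ts)
        start = 0
        window = defaultdict(int)       # dst -> hits currently inside the window
        for c in cs:
            window[c.dst] += 1
            while c.ts - cs[start].ts > WINDOW_SEC:   # expire old connections
                window[cs[start].dst] -= 1
                if window[cs[start].dst] == 0:
                    del window[cs[start].dst]
                start += 1
            if len(window) >= SWEEP_MIN_TARGETS:
                findings.append((src, len(window), round(adjacency(window), 2)))
                break
    return findings

# Constructed records: a sweep over 10.0.1.1-10.0.1.40 on port 80, and a
# crawler fetching five pages each from three public web servers.
SWEEPER = "198.51.100.77"
CRAWLER = "192.0.2.10"
SAMPLE = [Conn(i * 2, SWEEPER, f"10.0.1.{i + 1}", 80) for i in range(40)]
SAMPLE += [Conn(100 + i * 3, CRAWLER, f"10.0.5.{host}", 80)
           for i in range(5) for host in (10, 20, 30)]

if __name__ == "__main__":
    for src, targets, adj in find_sweeps(SAMPLE):
        print(f"{src}: {targets} distinct web targets in {WINDOW_SEC}s, adjacency {adj}")
```

The adjacency score is what distinguishes a scanner from a busy but legitimate crawler when both cross the distinct-target threshold; a crawler's destinations come from hyperlinks and are scattered, a sweep's come from a counter.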
-
Lots of state schools have programs like this...
you just have to find the right one (possibly not an easy process). I attended Engineering State at Utah State University and had a lot of fun. It helped me decide between computer engineering and electrical engineering. http://www.engineering.usu.edu/htm/engineering-news/e-state
-
Re:Points 4. and 5...
Given two equal SSH daemons, both fully updated but one on a random high port, the one listening on 22 will log hundreds or thousands of attempts per day, the one on a random port will log *zero*. Which do you think makes log auditing easier to look for truly dangerous threats?
I can second this. For years I have monitored the SSH activity at my university. Today we had 30K+ active devices and hundreds of SSH servers. I use Snort rules to detect SSH negotiation on non-standard ports. We have NEVER had an attack against a SSH server using a properly obscured SSH port. Of course, we don't depend on obscurity. Here is a snippet from our guide to setting up a SSH server: https://it.wiki.usu.edu/ssh_description
We try to use multiple overlapping security layers to protect SSH:
- Set your firewall to limit the vulnerable scope of SSH to a few trusted hosts.
- Set your firewall to prevent credential guessing by rate-limiting connections to the SSH port.
- The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
- The SSH server should not allow known usernames including root. The attacker must find a username.
- The admin is trained to create good passwords for his usernames.
- SSH users are taught to verify the identity of their systems when they first connect.
- System admins must regularly review the activity of their SSH servers.
- USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
- USU has SSH Honeypots that help us respond to SSH attack.
When we reviewed the SSH activity today, we found 2 compromised systems. One had sprouted an SSH server on port 8080 and had a large community of hackers connecting to it. The other had bot C&C running over an SSH connection to the Netherlands. This review is easy when we don't look at all the crap on TCP/22.
Miles
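Added example, not the Snort rules the post refers to: what detecting SSH by its negotiation rather than its port looks like in code. It matches the RFC 4253 identification string in the first bytes a server sends back, then applies the two checks the post's findings suggest, an SSH server on an unexpected port with a crowd of clients and an internal host with an outbound SSH session. Session records, addresses, the internal network and the expected-port set are constructed assumptions.

```python
"""Spot SSH servers by their protocol banner rather than by port, then flag
the two cases the post found: an SSH server on an unexpected port with many
clients, and an internal host holding an outbound SSH session to the outside.

Added example, not USU's Snort rules. Records, addresses, the internal
network and the expected-port set are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

# RFC 4253 identification string: "SSH-protoversion-softwareversion ..."
SSH_BANNER_RE = re.compile(rb"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)")

# Assumptions for the example site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_SSH_PORTS = {22}          # ports where SSH is allowed/known
MIN_CLIENTS_TO_REPORT = 3          # distinct clients that make a "community"

# One record per TCP session: who connected, to which server/port, and the
# first bytes the server sent back.
Session = namedtuple("Session", "client server server_port server_first_bytes")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def ssh_software(first_bytes):
    """Return the server software string if the bytes are an SSH banner."""
    m = SSH_BANNER_RE.match(first_bytes)
    return m["software"].decode("ascii", "replace") if m else None

def review_sessions(sessions):
    """Return findings as (kind, server, server_port, detail) tuples."""
    findings = []
    clients_by_server = defaultdict(set)
    for s in sessions:
        software = ssh_software(s.server_first_bytes)
        if software is None:
            continue                                  # not SSH; port is irrelevant
        clients_by_server[(s.server, s.server_port, software)].add(s.client)
        if is_internal(s.client) and not is_internal(s.server):
            findings.append(("outbound_ssh", s.server, s.server_port,
                             f"from {s.client} ({software})"))
    for (server, port, software), clients in clients_by_server.items():
        if port not in EXPECTED_SSH_PORTS and len(clients) >= MIN_CLIENTS_TO_REPORT:
            findings.append(("ssh_on_unexpected_port", server, port,
                             f"{len(clients)} distinct clients ({software})"))
    return findings

# Constructed traffic: a legitimate sshd on 22, a rogue sshd on 8080 with a
# crowd of external clients, an HTTP server on 8080 that must not be flagged,
# and an internal host talking SSH outbound on 443.
SAMPLE_SESSIONS = [
    Session("198.51.100.4", "10.1.1.1", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
    Session("203.0.113.7", "10.1.2.3", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    Session("203.0.113.8", "10.1.2.3", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    Session("203.0.113.9", "10.1.2.3", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    Session("203.0.113.7", "10.1.2.4", 8080, b"HTTP/1.1 200 OK\r\n"),
    Session("10.5.5.5", "192.0.2.66", 443, b"SSH-2.0-OpenSSH_4.3\r\n"),
]

if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_SESSIONS):
        print(*finding)
```

The banner is the right hook because the server sends it in clear text before any key exchange, on whatever port it listens on; port 443 carrying "SSH-2.0-" is exactly the bot C&C case the post describes, and it never appears in a review that only looks at TCP/22.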
-
Security DESPERATELY needs meaningful metrics.
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
* Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
* Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
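Added example, not from the linked USU page: the arithmetic in the post carried one step further. The same counts are turned into per-10K rates with a 95% Wilson interval, plus the check you would want before comparing two institutions, since a count of 5 or 15 carries a lot of noise. The three counts and the population are the post's own; the "other institution" count of 60 is invented for contrast.

```python
"""Turn raw infection counts into comparable rates. The post gives counts per
population per year; to compare institutions you also need to know how much
noise a count of 5 or 15 carries, so each rate gets a 95% Wilson interval
and there is a check for whether two rates are actually distinguishable.

Added example, not from the linked USU page. The counts are the three the
post reports; the 'other institution' figure is invented for contrast.
"""
import math

Z95 = 1.959964   # two-sided 95% normal quantile

def wilson_interval(k, n, z=Z95):
    """95% Wilson score interval for a proportion with k events in n."""
    p = k / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / denom, (centre + margin) / denom

def infection_rate(infected, population, months=12, per=10_000):
    """Rate per `per` hosts per year and per month, with a 95% interval
    (in per-year units) for an observation window of `months`."""
    scale = per * 12 / months          # annualise whatever window was observed
    lo, hi = wilson_interval(infected, population)
    return {
        "per_10k_year": infected / population * scale,
        "per_10k_month": infected / population * scale / 12,
        "ci95_per_10k_year": (lo * scale, hi * scale),
    }

def distinguishable(a, b):
    """True only if the two 95% intervals do not overlap, i.e. the difference
    is unlikely to be noise. (Conservative, but fine for a first cut.)"""
    a_lo, a_hi = a["ci95_per_10k_year"]
    b_lo, b_hi = b["ci95_per_10k_year"]
    return a_hi < b_lo or b_hi < a_lo

# The post's own counts (March 2009 to March 2010, 12677 hosts).
USU_2009 = {"Conficker": 15, "Torpig": 20, "Mebroot": 5}
POPULATION = 12677

if __name__ == "__main__":
    rates = {name: infection_rate(k, POPULATION) for name, k in USU_2009.items()}
    for name, r in rates.items():
        lo, hi = r["ci95_per_10k_year"]
        print(f"{name:10s} {r['per_10k_year']:6.2f}/10K/yr  95% CI {lo:5.2f}-{hi:5.2f}")
    # Invented comparison institution: same size, 60 Conficker infections.
    other = infection_rate(60, POPULATION)
    print("Conficker vs Mebroot distinguishable:",
          distinguishable(rates["Conficker"], rates["Mebroot"]))
    print("USU vs other Conficker distinguishable:",
          distinguishable(rates["Conficker"], other))
```

The point the intervals make is that 15 versus 5 infections in a population of 12677 is not a measurable difference at this sample size, while 15 versus 60 is; any institution-to-institution comparison built on these numbers needs the interval, not just the rate.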
-
Re:Only voluntary for a few days ..
I just find it a bit hypocritical to say voluntary when they intend to use force.
We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.
Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:
1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.
2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need a cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.
Miles
-
Re:The study just involves blind people
You know, I've seen an increasing trend in that. "Experts" have been coming out with "studies" in fields. Because they have "Professor" or "Doctor" somewhere near their name, they are immediately presumed to be experts in the field that they are discussing. It rarely takes much research, sometimes just reading the article, to find out that their area of expertise has nothing to do with the topic of the study.
The article does hit both sides of it though, which is good. I couldn't find what he is currently teaching though. He's listed to be an instructor in the USU Art Department. His USU profile page doesn't really indicate much. The indicated department doesn't show him as being on the faculty or staff. That would be consistent with the "Emeritus" part of his title. He was a professor. He was in the art department, which doesn't seem to include any language arts.
I did find some rough name matches, so his art field may have been photography. Beyond that, I couldn't find anything about this guy.
So, his credentials went from sounding like an expert in the field, to "Mark Larson, retired art teacher", or more simply "Mark Larson, bored retired guy".
-
Re:Cool
I think I spent way too much time tracking this down ;)
I finally found a version of it in a Japanese folktale called The Wise Old Woman by Yoshiko Uchida. Here's a version of it that looks like it was formatted for a play, but at least it's an easy read: The Wise Old Woman.
Interesting story, thank you!
-
Some links on indoor agriculture
Hydroponics
(Apogee) Dwarf Wheat
Thanet Earth (Guardian)
Thanet Earth (Daily Mail)
Eurofresh: in inhospitable Wilcox, AZ
Eurofresh: Air-Conditioning Greenhouses
Vertical Farm Project
Artificial light growth rates in a controlled environment (Omega Garden; also a good example of what growing indoors looks like--it's not hard to imagine a blocky warehouse filled with these, unlike the fanciful design in the article):
CFL (6 Kilowatts per Hour (KWH))
2 week total: 1646.4 KWH to produce 2160 units of Lettuce
Per Lettuce Unit = 0.76 KWH
LED (0.48 Kilowatt)
2 week total: 171 KWH to produce 2160 units of Lettuce
Per Lettuce Unit = 0.079 KWH
-
Re:This is not a game changing tactic.
We like our visualizers. Our router guy has created 2. They are both GPL. We use them every day. I suppose you could consider them late Beta.
The IPVisualizer:
https://it.wiki.usu.edu/IPVisualizer
gives us a real-time overview of our entire IP address space. It is particularly good for revealing reconnaissance attacks.
The Organic IP Visualizer:
https://it.wiki.usu.edu/OIP
provides a focused view of the activity of a subset of our network.
Miles
-
Re:Oversimplified
> E.g., let's say we write a massively multi-threaded shooter game....Debugging it gets even funnier, since some race conditions can happen once a year on one computer configuration, but every 5 minutes on some hapless user's. Most will not even happen while you're single-stepping through the program
Well that just says that you're doing it wrong. Sure, a massively concurrent system done in the manner you describe would be incredibly tricky to make work correctly. Of course that's not the only way to do it. With a little bit of thought and analysis going in you can write massively concurrent multi player games that just work right first time. That's a system that had literally thousands of concurrent processes all interacting, with no deadlock or livelock, and no complex debugging to ensure that was the case. Just because you can't imagine how it could be done doesn't mean it can't be.
-
Re:self-recursive acronym
Seems you're right, according to AP. (And several other sites as well.) Thanks for re-educating me! Seriously, it's been a while since college, and I "remembered" that all 2-letter words should be lowercased. Doh!
-
Re:Batteries pose their own environmental problems
How can you not know that batteries can be recycled? Do you live in a third world country or something where your government is too poor to provide a battery recycling program or something? Here is how it works: when your battery doesn't work anymore, you do not throw it in the forest or dump it in a lake. Instead, you put it in some form of container, like this. When that container is full, it is then transported to a "battery recycling center" where the batteries are dismantled. The different alloys in the batteries are melted into their pure metallic form which are then extracted. The metals are then used to manufacture new batteries.
HTH
-
You can see much more detail
in this closeup. Note the little martians.
-
Re:Windows a clone of X windows?
And perhaps then Stanford should then sue PARC for ripping their mouse system.
http://imrl.usu.edu/OSLO/technology_writing/004_003.htm
-
LADA on ISS
The LADA program has grown many things including cabbage, peas, radishes, etc. http://www.sdl.usu.edu/programs/lada/
-
Other Universities doing this as well...
Utah State University* also has open courseware as well as COSL (The Center for Open and Sustainable Learning), which is doing a lot to make the creation, remixing, and collaboration between open courses better. It also hosts the OpenEd conference.
*Disclaimer: I am a student at Utah State University
-
OCW: OpenCourseWare
You really ought to look into the concept of OpenCourseWare, it's a brilliant concept.
MIT's open courseware: http://ocw.mit.edu/
Center for Open and Sustainable Learning (COSL): http://cosl.usu.edu/
These initiatives are providing open-source free course materials including some video lectures available to everyone. I'm confident if you looked into the subject some more you'd see a lot more benefits than the problems you present. I'm not affiliated with MIT OCW in any way (I'm in Europe), but allow me to cut/paste a few lines from their website:
>> Results have shown that:
>> 95% of users report MIT OCW has or will help them to be more productive and effective
>> 46% of educators have adopted MIT OCW content to improve their own teaching
>> 38% of students use MIT OCW materials to complement a course they are taking; 34% use MIT OCW to learn about subjects outside of formal classes
>> 56% of self-learners use MIT OCW to enhance personal knowledge; 16% use MIT OCW to stay current in their chosen field
>> 96% of all users would recommend MIT OCW to others
>> And we have also found that MIT OCW is having a significant impact on teaching and learning at MIT:
>> 35% of Fall 2005 entering freshmen aware of MIT OCW prior to attending MIT indicate the site was a significant or very significant influence on their choice of school
>> 71% of all MIT students (undergraduate and graduate) make use of MIT OCW in their research and studies
>> 96% of MIT students using the MIT OCW site report it has had a positive or extremely positive impact on their student experience
>> 40% of MIT faculty using MIT OCW report that the site is a helpful tool in revising/updating courses; 38% use the site for advising students
http://ocw.mit.edu/OcwWeb/Global/AboutOCW/impact.htm
--
Finally allow me to address the 'problems' you present in your post.
> I'm working at a major university in the US, and have been charged with posting pod-casts of class lectures on the internet.
Sounds like a great idea, but have you asked the question: Why? The problems you present and the possible solutions you provide for them leave me with the big question of why you'd even bother with making the podcasts in the first place. It seems you want to make the podcasts available only because you have to and force people to attend the lectures and make it hard to access the podcasts. In my mind the why has this answer: To provide students with an additional resource, a hardcopy of their lecture they can view if they:
1) Missed a lecture (sick, overslept or in some other way indisposed). Alternative is that they don't get to hear/see the lecture at all!
2) Review what the teacher went over in a lecture
> The problem is whether or not posting the videos would allow students to skip class and just download the lecture, instead.
Yes and that's a good thing! It makes it possible for people who are unable to attend the lectures to capture the essence of the lecture without actually being there. That could be because they're sick, stuck in traffic, attending another lecture or otherwise indisposed. Personally I doubt a lot of people will stay away from the lectures and solely listen to the podcasts, unless you don't gain anything additional from the lectures - and in that case: what's the problem?
> I guess the problem is trying to strike the right balance between allowing good students to take advantage of this resource, but discourage bad students from staying at home all the time and watching all the lectures right before the exam.
I feel this is more of a study tactics problem that you need to teach your students through your introduction to the university / study tactics.
> So what methods can be used to provide these pod-casts for the students who actually attended class? In terms of when the lecture should be posted, what would be a good time-frame? Immediately after the class? 24 hours? One week? One class behind schedule?
What are you trying to accomplish here? By making the podcasts avai
-
Re:Hey NASA, why not do this?
NASA does do things like this. I'm a sophomore electrical engineering student at Utah State University and I'm helping with USU's entry in the 4th University Nanosatellite Competition http://ususat.usu.edu/. Selected universities design, build, and test small satellites and the most useful and best designed gets launched at the end.